Download presentation

Presentation is loading. Please wait.

Published byIsaiah Ayers Modified over 2 years ago

1
Fair Computation with Rational Players Adam Groce and Jonathan Katz University of Maryland

2
Two-party computation Distance? NYCLA 2800

3
Two-party computation Fairness: If either player learns the output, then the other player does also. Impossible in general [Cleve86]

4
Dealing with this impossibility Fairness for specific functions [GHKL08] Partial fairness [BG89, GL90, GMPY06, MNS09, GK10], … Physical assumptions [LMPS04, LMS05, IML05] Here: assume rational behavior Generalizing prior work on rational secret sharing [HT04, GK06, LT06, ADGH06, KN08, FKN10], …

5
Our results (high level) Consider an ideal-world evaluation of the function (using a trusted third party) Look for a game-theoretic equilibrium in that setting Theorem (informal): If behaving honestly is a strict Nash equil. in the ideal world, then there is a real-world protocol that is fair when players are rational

6
Putting our result in context Much recent interest in combining game theory and cryptography Applying game theory to cryptographic tasks (bypass impossibility, increase efficiency, …) Using cryptography to remove a mediator [CS82, Forges90, Barany92, DHR00, …] Defining cryptographic goals in game-theoretic terms [ACH11] Had appeared to give a negative answer regarding fairness

7
The real-world game 1. Parties running a protocol to compute some function f 2. Receive inputs x 0, x 1 from known distribution 3. Run the protocol… 4. Output an answer 5. Utilities depend on both outputs, and the true answer f(x 0, x 1 ) D

8
Goal Design a rational fair protocol for f, i.e., such that running the protocol honestly is a computational Nash equilibrium That is, no polynomial-time player can gain more than negligible utility by deviating Note: stronger equilibrium notions have been considered in other cryptographic contexts We leave these for future work

9
Asharov-Canetti-Hazay (2011) They consider a special case of our real-world game (with different motivation): Uniform, independent binary inputs x 0 and x 1 Computing XOR Utilities given by: Results: There exists a rational protocol with correctness ½ No rational protocol can be correct with probability better than ½ RightWrong Right(0, 0)(1, -1) Wrong(-1, 1)(0, 0)

10
Asharov-Canetti-Hazay (2011) But wait! Guessing randomly is also an equilibrium… …and achieves the same payoff as any possible protocol (even with a trusted party) Parties may as well not run the protocol at all! RightWrong Right(0, 0)(1, -1) Wrong(-1, 1)(0, 0)

11
The ideal-world game 1. Receive inputs x 0, x 1 from known distribution 2. Send an input (or ) to the ideal functionality 3. Receive an output (or ) from the functionality 4. Output an answer 5. Utilities depend on both outputs, and the true answer f(x 0, x 1 ) D

12
Utilities RightWrong Right(a 0, a 1 )(b 0, c 1 ) Wrong(c 0, b 1 )(d 0, d 1 ) Payoff Matrix (Assume b > a d c)

13
Honest strategy of P 0 (ideal world) Send true input x 0 to functionality Output the answer given by the functionality If functionality gives, generate output according to distribution W 0 (x 0 ) Not used in an honest execution, but must exist. We can assume W 0 (x 0 ) has full support.

14
Our result Honest behavior is a strict Nash equilibrium in the ideal world There exists a real- world protocol that is rational fair (Fail-stop or Byzantine setting) Not true in [ACH11]

15
Our protocol I Use ideas from [GHKL08, MNS09, GK10] ShareGen Choose i* from geometric distribution with parameter p For each i n, create values r i, 0 and r i,1 If i i*, r i, 0 and r i,1 are the desired outputs If i < i*, r i, 0 and r i,1 are chosen according to distributions W 0 (x 0 ) and W 1 (x 1 ) Secret-share each r i, j value; give one share to P 0 and the other to P 1

16
Our protocol II Compute ShareGen (unfairly) In round i, parties exchange shares P 0 learns r i,0 and P 1 learns r i, 1 If the other player aborts early, output the last value learned If the protocol finishes, output r n,0 and r n,1

17
Analysis – will P 0 abort early? Assume P 0 is notified once i* has passed Aborting after this point cannot help If P 0 doesnt abort early utility a 0 If P 0 aborts early…. … in round i* utility b 0 … before round i* utility strictly less than a 0 Both correct P 0 correct, P 1 incorrect From ideal world equilibrium assumption

18
Analysis – will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* Utility if this is i* Probability this is before i* Expected utility if this is before i* + =

19
Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 Probability this is before i* Expected utility if this is before i* +

20
Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 Probability this is before i* a 0 - constant +

21
Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y and this is i*] Pr[P 0 gets y] When P 0 sees output y in round i:

22
Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*] Pr[P 0 gets y] Pr[this is i*] When P 0 sees output y in round i:

23
Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*]Pr[this is i*] When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[P 0 gets y | this is i*] Pr[this is i*] Pr[this isnt i*] +

24
Analysis – Will P 0 abort early? Probability this is i* = Pr[P 0 gets y | this is i*] When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[P 0 gets y | this is i*] Pr[this isnt i*] + p p

25
Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] Pr[this isnt i*] + p p constant

26
Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: Pr[P 0 gets y | this isnt i*] + p p constant 1-p

27
Analysis – Will P 0 abort early? Probability this is i* = When P 0 sees output y in round i: + p p constant 1-p constant > 0 Can make arbitrarily low by choice of p

28
Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is i* b0b0 a 0 - constant + Probability this is before i*

29
Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort Probability this is before i* arbitrarily lowb0b0 a 0 - constant +

30
Analysis – Will P 0 abort early? When P 0 sees output y in round i: Expected utility if abort arbitrarily lowb0b0 1 – arbitrarily lowa 0 - constant + < a0a0 Utility of not aborting

31
Conclusion Rational fairness is possible! As long as there is a strict preference for fairness in the ideal world (by at least one of the parties) The more pronounced parties preferences are, the more round-efficient the real-world protocol is

32
Extensions and open problems Multi-party case, more general utilities Recent work with Amos Beimel and Ilan Orlov Open: Prove a (partial?) converse of our result Consider stronger notions of equilibrium in the real world Address other concerns besides fairness?

33
Thank you

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google